Unable to load the enclave while running the graphene-sgx helloworld

[ntk97]

Description of the problem

Not able to run the graphene-sgx helloworld from the graphene master branch

Using Ubuntu 20.04 and kernel version "Linux 5.11.0-051100-generic"

Steps to reproduce

Followed the steps mentioned in the document

Step-1 git clone https://github.com/oscarlab/graphene.git cd graphene Step-2 Prepare a signing key: openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072 Step-3 Build Graphene and Graphene-SGX: sudo apt-get install -y autoconf bison build-essential gawk \ libcurl4-openssl-dev libprotobuf-c-dev meson protobuf-c-compiler \ python3 python3-click python3-jinja2 python3-pip python3-protobuf \ wget python3 -m pip install toml>=0.10 make make ISGX_DRIVER_PATH="" SGX=1 # this assumes Linux 5.11+ meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled ninja -C build/ sudo ninja -C build/ install

Step-4 Build and run helloworld: cd LibOS/shim/test/regression make SGX=1 make SGX=1 sgx-tokens

graphene-sgx helloworld

The last command graphene-sgx helloworld throws error saying

[ubuntu@kiwifruit-desktop regression]$ graphene-sgx helloworld
error: Cannot open device /dev/sgx_enclave. Please make sure the Intel SGX kernel module is loaded.
error: load_enclave() failed with error -2

Additional information

Results of ./is-sgx-available script SGX supported by CPU: true SGX1 (ECREATE, EENTER, ...): true SGX2 (EAUG, EACCEPT, EMODPR, ...): false Flexible Launch Control (IA32_SGXPUBKEYHASH{0..3} MSRs): false SGX extensions for virtualizers (EINCVIRTCHILD, EDECVIRTCHILD, ESETCONTEXT): false Extensions for concurrent memory management (ETRACKC, ELDBC, ELDUC, ERDINFO): false CET enclave attributes support (See Table 37-5 in the SDM): false Key separation and sharing (KSS) support (CONFIGID, CONFIGSVN, ISVEXTPRODID, ISVFAMILYID report fields): false Max enclave size (32-bit): 0x80000000 Max enclave size (64-bit): 0x1000000000 EPC size: 0x5d80000 SGX driver loaded: true AESMD installed: true SGX PSW/libsgx installed: true

Let me know, why I am not able to load the enclave while executing graphene-sgx helloworld

@dimakuv @mkow or @Mic92 can you let me know how I can resolve this ?

[svenkata9]

@ntk97 Could you try executing these commands and then execute graphene-sgx?

mkdir -p /dev/sgx sudo ln -s /dev/sgx_enclave /dev/sgx/enclave sudo ln -s /dev/sgx_provision /dev/sgx/provision

[ntk97]

@ntk97 Could you try executing these commands and then execute graphene-sgx?

mkdir -p /dev/sgx sudo ln -s /dev/sgx_enclave /dev/sgx/enclave sudo ln -s /dev/sgx_provision /dev/sgx/provision

sgx_enclave and sgx_provision is not found in /dev

So, soft linking can't be a solution. but I tried the above commands, same issue persists

[ubuntu@kiwifruit-desktop regression]$ graphene-sgx helloworld
error: Cannot open device /dev/sgx_enclave. Please make sure the Intel SGX kernel module is loaded.
error: load_enclave() failed with error -2

let me know, How I could progress ?

[mkow]

@ntk97: Please reformat your issue to use proper Markdown, all lines are now merged and I'm not really sure what commands you used. Just google some Markdown guide on the internet ;)

[dimakuv]

@ntk97 Looks like you installed the DCAP out-of-tree driver on this system?

If so, remove Graphene, download it again, and in one of the build steps do:

make ISGX_DRIVER_PATH="<path-to-your-dcap-driver>" SGX=1

The path to the DCAP out-of-tree driver is typically /usr/src/sgx-1.23456/.

[mkow]

@dimakuv: I think they are using the driver from the kernel? (5.11)

[ntk97]

@dimakuv @mkow : I am using in-build kernel driver - Kernel version 5.11

[veenasai2]

from your "Results of ./is-sgx-available script" SGX2 (EAUG, EACCEPT, EMODPR, ...): false

can you please check if sgx in enabled in bios?

[ntk97]

Yes, SGX is enabled in bios. I Ran cpuid | grep SGX

results are as follows: SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV EVIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV EVIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV EVIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV EVIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1):

[svenkata9]

@ntk97 Nayana, Another suggestion that came from one of our team members based on what they came across as well - I think it could be the same issue.

Could you try executing this command and try the graphene-sgx helloworld? sudo mount -o remount,exec /dev

[ntk97]

this sudo mount -o remount,exec /dev worked on new ubuntu 20 with kernel version 5.11

Thanks and closing my issue

and Flexible Launch Control (IA32_SGXPUBKEYHASH{0..3} MSRs): false in my old machine, that is one of the reason for not able to load the enclave.